Thursday Jan 19, 2006

Solaris Ethernet bridging

  We are kicking off a project named 'Ethernet bridging' to make Solaris virtualization-ready, in particular ready to act as Xen domain0. Basically, an Ethernet bridge enables Xen domain0 to act as an 802.1D bridge for the other Xen user domains.

  In parallel, we kicked off a CDDL open source project for it, which is hosted at
  http://www.opensolaris.org/os/project/ethbridge

Monday Aug 08, 2005

IPFilter code merge

The Solaris firewall will soon see the up-to-date features of open source IPFilter

  IPFilter is a mature and robust firewall traditionally popular on BSD-like systems, though it is a multiple-OS product. With the release of Solaris 10, IPFilter is the default firewall instead of the previous SunScreen. However, it is based on the open source ip_fil4.0.x, which was what was available when the Solaris networking team was evaluating and choosing the firewall and then tuning it against the Solaris operating environment.

  With time, the open source IPFilter has evolved much and now ip_fil4.1.8 is available. We are planning a bidirectional code merge project to update the Solaris IPFilter to ip_fil4.1.8. The open source community can benefit from our work too: quite a few bug fixes, several of which are pretty critical, and one or two features, for example IPv6-enabled ippool, will be integrated into the open source version.

Friday Jun 24, 2005

Starting and stopping IPFilter

  IPFilter is the firewall bundled with Solaris 10. On Solaris 10, starting and stopping IPFilter is managed by SMF, which is a change from before.
  Specifically, SMF manages IPFilter by managing the two IPFilter-related services (pfil & ipfilter). You can view the properties of these two services with the following commands:

#> svcprop pfil
#> svcprop ipfilter

 The Solaris firewall only takes effect when both pfil and ipfilter are online. In a default installation pfil is online but ipfilter is offline, so IPFilter does not take effect. This is why, even though the administrator has configured rules in /etc/ipf/ipf.conf, the IPFilter system still does nothing. (Rebooting does not help either.)

Starting it is simple:
#>svcadm enable ipfilter
Stopping it must also be done through SMF.
#>svcadm disable ipfilter

Note: starting and stopping ipfilter through SMF is persistent; the setting is preserved even across a reboot.
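As an added example (not code from the original post), the check below decides from `svcs -H` style output whether the firewall is actually in effect, i.e. whether both pfil and ipfilter are online; the sample lines are constructed, and the FMRIs svc:/network/pfil:default and svc:/network/ipfilter:default are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: report whether the Solaris 10
# IPFilter firewall is in effect. Rules in /etc/ipf/ipf.conf only apply when
# both the pfil and the ipfilter SMF services are online.

# Constructed sample of `svcs -H svc:/network/pfil svc:/network/ipfilter`
# output on a default install (columns: STATE STIME FMRI). FMRIs are assumed.
SAMPLE_DEFAULT='online         10:02:11 svc:/network/pfil:default
disabled       10:02:09 svc:/network/ipfilter:default'

# Constructed sample after `svcadm enable ipfilter`.
SAMPLE_ENABLED='online         10:02:11 svc:/network/pfil:default
online         10:05:44 svc:/network/ipfilter:default'

# svc_state NAME -- read svcs output on stdin and print the state of the
# service whose instance name is NAME (pfil or ipfilter), or "missing".
# Note "pfil" is a substring of "ipfilter", so the name is compared exactly.
svc_state() {
    awk -v want="$1" '
        {
            fmri = $NF                          # last column is the FMRI
            sub(/^svc:\/network\//, "", fmri)   # strip the category prefix
            sub(/:[^:]*$/, "", fmri)            # strip the :default instance
            if (fmri == want) { print $1; found = 1; exit }
        }
        END { if (!found) print "missing" }'
}

# firewall_effective -- read svcs output on stdin; return 0 only when both
# services are online, otherwise print the reason and return 1.
firewall_effective() {
    input=$(cat)
    pfil=$(printf '%s\n' "$input" | svc_state pfil)
    ipf=$(printf '%s\n' "$input" | svc_state ipfilter)
    if [ "$pfil" = online ] && [ "$ipf" = online ]; then
        echo "IPFilter is in effect (pfil=$pfil ipfilter=$ipf)"
        return 0
    fi
    echo "IPFilter NOT in effect (pfil=$pfil ipfilter=$ipf): ipf.conf rules are not applied"
    return 1
}

# On a live system, feed real output instead of the samples:
#   svcs -H svc:/network/pfil svc:/network/ipfilter | firewall_effective
printf '%s\n' "$SAMPLE_DEFAULT" | firewall_effective || true
printf '%s\n' "$SAMPLE_ENABLED" | firewall_effective || true
```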

Monday May 23, 2005

IPFilter status

  IPFilter is very close to finishing IPv6 support in Solaris 10. I intend to putback the IPv6 code to onnv (the Solaris 11 development tree) in a couple of weeks. After 4 weeks' soak time, the Solaris 10 update will see IPv6 packet filtering work. :)

  In addition to the functionality available for IPv4, IPFilter can distinguish traffic by matching extension headers, which do not exist in IPv4. NAT, the main usage in IPv4, is not available any more. NAT is mainly a solution to IP address shortage, and there is no such requirement in IPv6, so we simply skip the feature.

  IP pool has been made IPv6 enabled, from the userland command through to the kernel module. Pools of IPv4, IPv6, or mixed IPv4/IPv6 addresses are allowed, which leads to easy management.

  I am wondering if it makes much sense to make IPFilter SNMP manageable and thereby easily centrally managed. I am also interested in the idea of a GUI interface for IPFilter. Please make comments. :)

About

yukun
